| Title | HKUDS nanobot <= 0.1.5.post3 Missing Origin Validation in WebSockets (CWE-1385) |
|---|
| Description | # Technical Details
A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the `setupClient` method in `bridge/src/server.ts` of nanobot.
The application fails to validate the Origin header during WebSocket handshakes when `BRIDGE_TOKEN` is unset, allowing untrusted cross-site connections.
# Vulnerable Code
File: bridge/src/server.ts
Method: setupClient
Why: The connection handler accepts any client connection without Origin validation when the optional `BRIDGE_TOKEN` is not configured, parsing and executing untrusted payload as bridge commands.
# Reproduction
1. Ensure the victim is running Nanobot WhatsApp Bridge locally with `BRIDGE_TOKEN` unset (the default configuration).
2. Have the victim visit an attacker-controlled webpage containing a malicious WebSocket client.
3. The webpage connects to `ws://127.0.0.1:3001` and sends bridge commands (e.g., `send` or `send_media`).
4. The bridge processes the commands, bypassing origin trust boundaries.
# Impact
- Unauthorized local session control and message sending via the bridge.
- Exposure of bridge-delivered WhatsApp events and QR flow metadata.
- Abuse of the victim's active messaging context. |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/023d2eb61c05dafc9bdc44a95938fe7a |
|---|
| User | Eric-b (UID 96354) |
|---|
| Submission | 05/14/2026 07:13 (2 months ago) |
|---|
| Moderation | 06/14/2026 09:05 (1 month later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 357650 [HKUDS nanobot up to 0.1.4 Bridge API bridge/src/server.ts BRIDGE_TOKEN missing origin validation in websockets] |
|---|
| Points | 0 |
|---|